CN101965709B - Secret information management apparatus, information processing apparatus, and secret information management system - Google Patents


Info

Publication number
CN101965709B
Authority
CN
China
Prior art keywords
role
user
information
combination
assigned
Legal status
Expired - Fee Related
Application number
CN2009801083329A
Other languages
Chinese (zh)
Other versions
CN101965709A (en
Inventor
松田规
服部充洋
米田健
Current Assignee
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

Provided is a device by means of which a secret key can be safely backed up even when using a role-based access structure that uses roles to specify the access structure. An all-combination generator (107) obtains a backup participant user list (201) which is a list of the users participating in the backup and a list of the active roles that are active for those users, and a role-based access structure (202) which is a combination of specified roles that can recover a secret key (205). The all-combination generator then plugs the users listed in the backup participant user list (201) into the specified roles, and generates all-combination extraction results, which are all the combinations of users that can recover the secret key. A duplicate user/role deletion unit (108) and the like then delete, from the all-combination extraction results, combinations such as those in which a user is duplicated. A general access structure secret distributer (114) then generates secret key fragments from the secret key, and distributes the secret key fragments to the user combinations, from which duplicates have been eliminated.

Description

Secret information management device, information processing device, and secret information management system
Technical field
The present invention relates to a technique for splitting a private key into shares and managing them in distributed form.
Background art
Private key backup schemes based on secret sharing have been implemented in the past.
In such a scheme, the private key is divided into a plurality of private key fragments and each fragment is kept by a different manager, so that the content of the private key stays confidential while the key is backed up safely (for example, Non-Patent Literature 1).
Besides the number of fragments N, which is the number of managers, such a scheme can also specify the number k of fragments (managers) that must be present in order to recover the private key. Setting k < N, for example, means that the private key can still be recovered even if one manager has lost a fragment.
A further secret sharing technique has been proposed in which the way the fragments are distributed to the managers is designed so that the private key can be recovered by an arbitrary combination of managers (for example, Patent Literature 1).
In this scheme, for N managers P1 to PN, an access structure is specified that states which combinations of managers' fragments can recover the private key.
For example, with three managers (P1, P2, P3), the case where recovering the private key requires the fragments of two managers, one of whom must be P1, is expressed by the access structure {{P1, P2}, {P1, P3}}.
The private key is then secret-shared according to the access structure, dividing it into N fragments.
Each manager is entrusted with a fragment, so that the private key can be recovered only when the managers of a combination named in the access structure are present.
On the other hand, enterprise information systems in recent years use role-based access control (RBAC) (for example, Non-Patent Literature 2).
In RBAC, roles are defined according to job function and organisational structure, and access rights are assigned to the roles.
By arranging the roles in a hierarchy, rights can be inherited.
Access control for users is performed by registering users in roles.
When personnel change, only the user registration for the affected role needs to be changed, which makes RBAC well suited to enterprise information systems.
For example, a minister role and a section chief role are created; the minister role is given the right to approve, and the section chief role the right to create payment documents. The user "Minister Tanaka" is then registered in the minister role, and the users "Section Chief Suzuki" and "Section Chief Sato" in the section chief role. This yields the access control in which Section Chief Suzuki and Section Chief Sato can create payment documents and Minister Tanaka can approve them. Further, by having the minister role inherit the rights of the section chief role, Minister Tanaka can also create documents. And when Takahashi becomes a new section chief, the access rights are changed simply by registering Section Chief Takahashi in the section chief role.
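As an added illustration of the general access structure described above (it is not code from the patent or from Patent Literature 1, which this page does not reproduce), the following Python example secret-shares a key over the access structure {{P1, P2}, {P1, P3}} using the simplest construction for a monotone access structure: each qualified set gets its own independent XOR split of the secret, one fragment per member, so that a qualified set recovers the key by XORing its fragments while any other group holds only unrelated random values. The manager names, the sample key bytes and the function names are constructed for this example.

```python
# Added example, not the patent's code. Data and names are constructed.
import secrets

# Constructed access structure from the background example: three managers,
# recovery needs two of them, and one of the two must be P1.
ACCESS_STRUCTURE = [frozenset({"P1", "P2"}), frozenset({"P1", "P3"})]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def share_secret(secret: bytes, access_structure):
    """Split `secret` once per qualified set.  Every member of set i receives one
    fragment fragments[member][i]; the XOR of all of set i's fragments equals
    the secret, and fragments of different sets are independent random values."""
    fragments = {}
    for i, qualified in enumerate(access_structure):
        members = sorted(qualified)
        pieces = [secrets.token_bytes(len(secret)) for _ in members[:-1]]
        last = secret
        for piece in pieces:
            last = xor_bytes(last, piece)
        pieces.append(last)  # chosen so that the XOR of all pieces is the secret
        for member, piece in zip(members, pieces):
            fragments.setdefault(member, {})[i] = piece
    return fragments


def recover_secret(present, fragments, access_structure):
    """Recover the secret from the fragments of the managers in `present`, or
    return None when no qualified set of the access structure is fully present."""
    present = frozenset(present)
    for i, qualified in enumerate(access_structure):
        if qualified <= present:
            result = None
            for member in qualified:
                piece = fragments[member][i]
                result = piece if result is None else xor_bytes(result, piece)
            return result
    return None


if __name__ == "__main__":
    key = b"constructed sample private key"
    frags = share_secret(key, ACCESS_STRUCTURE)
    print(recover_secret({"P1", "P2"}, frags, ACCESS_STRUCTURE) == key)  # qualified
    print(recover_secret({"P2", "P3"}, frags, ACCESS_STRUCTURE))         # None: not qualified
```

Each manager keeps one fragment per qualified set it belongs to, so P1 holds two fragments here; P2 and P3 together hold pieces of two different splits and neither split is complete, which is exactly what the access structure demands.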
Patent Literature 1: Japanese Unexamined Patent Application Publication No. 2002-217891, pages 5 to 10
Non-Patent Literature 1: A. Shamir, "How to Share a Secret", Communications of the ACM, vol. 22, no. 11, pp. 612-613, Nov. 1979
Non-Patent Literature 2: David F. Ferraiolo, D. Richard Kuhn, Ramaswamy Chandramouli, "Role-Based Access Control", Artech House, Inc., 2003, pp. 6-16
Summary of the invention
In the conventional private key backup scheme, with N managers P1 to PN, one specifies which combinations of managers' fragments can recover the private key.
Since enterprise information systems adopt RBAC, it is natural to specify the access structure for private key backup using the roles defined by RBAC as well.
Here, because a plurality of managers are registered in one role, the same role may appear repeatedly in the access structure, which differs from the conventional case.
The conventional secret sharing scheme presumes that the managers P1 to PN named in the access structure are different managers, so it does not contemplate the same role being specified more than once in a combination of the access structure.
Consequently, when the same role is specified repeatedly, it is unclear how the secret sharing should be performed to generate the fragments, and by what combination the fragments should best be distributed to the managers.
For example, suppose the private key can be recovered when the fragments of one minister and two section chiefs are present; the access structure is then specified as {minister role, section chief role, section chief role}.
Suppose the conventional scheme generates a minister fragment, a section chief fragment A and a section chief fragment B.
The question is then by what combination the section chief fragments A and B should be distributed to the section chiefs.
Case 1: both fragments A and B are given to each of Section Chief Suzuki, Section Chief Sato and Section Chief Takahashi. Then Minister Tanaka together with any one of Suzuki, Sato or Takahashi holds all the fragments and can decrypt the private key.
This departs from the condition that the private key can be decrypted only when one minister and two section chiefs are present: the key can be recovered by fewer people, which is undesirable for security.
Case 2: one of the fragments A and B is given to each section chief.
Suppose Section Chief Suzuki is given fragment A, and Section Chiefs Sato and Takahashi are given fragment B.
Then the private key can be recovered when Tanaka, Suzuki and Sato are present, but with Tanaka, Sato and Takahashi the fragments are insufficient and the key cannot be recovered.
As described above, because the conventional access structure presumes a combination of mutually different managers P1 to PN, when a repeated role is specified it cannot be determined how best to distribute the private key fragments.
A main object of the present invention is to solve this problem, namely to realise safe private key backup even when a role-based access structure, which uses roles to specify the access structure, is used.
A secret information management device according to the present invention extracts, from a plurality of users, the users who will be managers of two or more pieces of split secret information obtained by splitting the secret information, and comprises:
a user role information obtaining section that obtains user role information indicating the roles that each of the plurality of users possesses;
an assigned role information obtaining section that obtains assigned role information indicating two or more roles as assigned roles; and
a user extraction unit that compares each user role indicated by the user role information with each assigned role indicated by the assigned role information, extracts for each assigned role the users who possess a matching role, and combines the extracted users according to the combination of assigned roles to produce combinations of users who will be managers of the split secret information.
The assigned role information obtaining section may obtain assigned role information in which at least two assigned roles repeatedly indicate the same role. In that case the user extraction unit extracts users separately for each of the at least two assigned roles that are the same role, and removes from the combinations of users who will be managers of the split secret information any combination in which the same user is assigned to the at least two assigned roles that are the same role.
The user role information obtaining section may obtain user role information indicating a user who possesses two or more roles. The device then further comprises a simultaneous-combination-prohibited role information obtaining section that obtains simultaneous-combination-prohibited role information indicating, as simultaneous-combination-prohibited roles, two or more roles that must not be assigned to the same user in combination; and the user extraction unit, having extracted users for each assigned role, removes from the combinations any combination in which the same user is assigned to at least two assigned roles that correspond to simultaneous-combination-prohibited roles.
The user role information obtaining section may obtain user role information indicating a user who possesses an upper role, an upper role being one that includes one or more other roles as lower roles. The device then further comprises an inclusion relation information obtaining section that obtains inclusion relation information indicating the inclusion relation between upper roles and lower roles; and when some lower role is indicated as an assigned role in the assigned role information, the user extraction unit derives, according to the inclusion relation, the upper roles of that lower role, extracts the users who possess the lower role matching the assigned role, and also extracts, mapped to that lower role, the users who possess an upper role of the lower role.
The device may further comprise the simultaneous-combination-prohibited role information obtaining section described above; and when a lower role is included among the simultaneous-combination-prohibited roles, the user extraction unit removes from the combinations any combination in which the same user is assigned to an upper role of that lower role and to some other assigned role included among the simultaneous-combination-prohibited roles.
The device may further comprise a secret information splitting section that generates the split secret information according to the combinations of users who will be managers of the split secret information generated by the user extraction unit.
An information processing device according to the present invention comprises:
an access control policy information obtaining section that obtains access control policy information indicating a plurality of combinations of an executor role and one or more permitter roles, where the executor role is a role permitted to access secret information whose access is restricted, and a permitter role is a role that grants the executor role permission to access the secret information;
an execution user information obtaining section that obtains execution user information indicating, as execution user roles, the one or more roles possessed by the execution user who will access the secret information;
a permitted user information obtaining section that obtains permitted user information indicating, as permitted user roles, the one or more roles possessed by the permitted users who grant the execution user permission to access the secret information; and
a combination extraction unit that extracts, from the combinations indicated in the access control policy information, those combinations whose executor role matches an execution user role indicated by the execution user information and each of whose permitter roles matches some permitted user role indicated by the permitted user information.
The execution user information obtaining section may obtain execution user information indicating, as an execution user role, an upper role that includes one or more other roles as lower roles. The device then further comprises an inclusion relation information obtaining section that obtains inclusion relation information indicating the inclusion relation between upper roles and lower roles; and the combination extraction unit judges, according to the inclusion relation, whether the executor role corresponds to a lower role of the execution user role and, when it does, judges whether each permitter role combined with that executor role matches some permitted user role.
The permitted user information obtaining section may obtain permitted user information indicating, as a permitted user role, an upper role that includes one or more other roles as lower roles. The device then further comprises an inclusion relation information obtaining section as above; and the combination extraction unit judges, according to the inclusion relation, whether each permitter role corresponds to a lower role of a permitted user role, and extracts those combinations in which at least part of the permitter roles correspond to lower roles of the permitted user roles and the remaining permitter roles match permitted user roles.
A second information processing device according to the present invention comprises:
an access control policy information obtaining section, an execution user information obtaining section and a permitted user information obtaining section as described above; and
a combination extraction unit that extracts, from the combinations indicated in the access control policy information, those combinations whose executor role and each of whose permitter roles match some role among the execution user roles indicated by the execution user information and the permitted user roles indicated by the permitted user information.
In this second device, the execution user information obtaining section may obtain execution user information indicating an upper role as an execution user role, and the permitted user information obtaining section may obtain permitted user information indicating an upper role as a permitted user role. The device then further comprises an inclusion relation information obtaining section as above; and the combination extraction unit judges, according to the inclusion relation, whether the executor role and each permitter role correspond to some lower role of the execution user role or of the permitted user roles, and extracts those combinations in which at least part of the executor role and permitter roles correspond to lower roles of the execution user role or permitted user roles and the remainder match the execution user role or permitted user roles.
In either device, the combination extraction unit may generate, from the roles indicated by the extracted combination, assigned role information indicating, as assigned roles, the two or more roles of the managers of the split secret information into which the secret information is split.
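The following Python example, added to this page and not taken from the patent or from Mitsubishi Electric, implements the combination extraction described above in its first form: the executor role is matched against the execution user's roles, each permitter role against the roles of the permitted users, and a role also matches any lower role of a role the user holds, as the inclusion relation variants describe. The policy, role names, hierarchy and all function names are constructed for illustration; the extracted combinations are then turned into the assigned role information handed to the secret information management device.

```python
# Added example, not the patent's code. Data and names are constructed.

# Constructed access control policy: (executor role, permitter roles). A user
# holding the executor role may access the secret when users holding each of
# the permitter roles grant permission.
ACCESS_CONTROL_POLICY = [
    ("section chief", ("minister", "section chief")),
    ("minister", ("section chief", "section chief")),
    ("clerk", ("minister",)),
]
# Constructed inclusion relation: upper role -> lower roles it includes.
ROLE_HIERARCHY = {"minister": {"section chief"}}


def roles_with_lower(roles, hierarchy):
    """The given roles plus every lower role they include, transitively."""
    covered, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in covered:
            covered.add(role)
            todo.extend(hierarchy.get(role, ()))
    return covered


def permitted_user_roles(permitted_users):
    """Union of the roles in a backup permitted user list (constructed shape: user -> roles)."""
    return set().union(*permitted_users.values()) if permitted_users else set()


def extract_combinations(policy, execution_user_roles, permitted_user_roles, hierarchy):
    """Combinations of the policy that apply: the executor role is one of the
    execution user's roles (or a lower role of one), and every permitter role
    is one of the permitted users' roles (or a lower role of one)."""
    executable = roles_with_lower(execution_user_roles, hierarchy)
    permitting = roles_with_lower(permitted_user_roles, hierarchy)
    return [(executor, permitters) for executor, permitters in policy
            if executor in executable and all(p in permitting for p in permitters)]


def assigned_roles_from(combinations):
    """Assigned role information for the secret information management device:
    one role-based access structure per extracted combination, executor role first."""
    return [(executor,) + tuple(permitters) for executor, permitters in combinations]


if __name__ == "__main__":
    # Constructed lists: Section Chief Suzuki runs the backup; Minister Tanaka
    # and Section Chief Sato are the users who may permit it.
    roles = permitted_user_roles({"Tanaka": {"minister"}, "Sato": {"section chief"}})
    found = extract_combinations(ACCESS_CONTROL_POLICY, {"section chief"}, roles, ROLE_HIERARCHY)
    for structure in assigned_roles_from(found):
        print(structure)
```

With the constructed lists only the first policy entry applies, so the generated access structure is (section chief, minister, section chief). If the execution user instead holds the minister role, the hierarchy lets the minister satisfy a "section chief" executor role as well, and both of the first two entries are extracted.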
A secret information management system according to the present invention comprises:
an access control policy information obtaining section, an execution user information obtaining section and a permitted user information obtaining section as described above for the information processing device;
a combination extraction unit that extracts, from the combinations indicated in the access control policy information, those combinations whose executor role matches an execution user role indicated by the execution user information and each of whose permitter roles matches some permitted user role indicated by the permitted user information, and that generates, from the roles indicated by each extracted combination, assigned role information indicating, as assigned roles, the two or more roles of the managers of the split secret information into which the secret information is split;
a user role information obtaining section that obtains user role information indicating the roles that each of the plurality of users possesses;
an assigned role information obtaining section that obtains the assigned role information generated by the combination extraction unit;
a user extraction unit that compares each user role indicated by the user role information with each assigned role indicated by the assigned role information, extracts for each assigned role the users who possess a matching role, and combines the extracted users according to the combination of assigned roles to produce combinations of users who will be managers of the split secret information; and
a secret information splitting section that generates the split secret information according to the combinations of users generated by the user extraction unit.
A second secret information management system according to the present invention has the same components, except that its combination extraction unit extracts, from the combinations indicated in the access control policy information, those combinations whose executor role and each of whose permitter roles match some role among the execution user roles indicated by the execution user information and the permitted user roles indicated by the permitted user information.
The user extraction unit may generate combination extraction information indicating the generated user combinations together with the roles that each user possesses, in which case the secret information management device further comprises:
a role information deletion section that deletes each user's role information from the combination extraction information;
a duplicate user information deletion section that, when the same user appears more than once in a combination in the combination extraction information, removes the repetition of that user from the combination;
a repeated combination deletion section that, when the combination extraction information contains two or more combinations of the same users that differ only in display order, removes the repeated combinations; and
an invalidated combination deletion section that, when some combination of users in the combination extraction information is contained in another combination of users, removes the combination contained in the other.
According to the present invention, the combinations of users who will be managers of the split secret information are extracted from the roles that each user possesses and from the combination of assigned roles, so that private key backup can be realised safely even when using a role-based access structure in which the access structure is specified with roles.
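The user extraction unit and the deletion sections described above form one procedure: generate every combination of users for the assigned roles (with users of an upper role also filling a lower role's slot), drop combinations in which one user fills two slots of a repeated role, drop combinations that pair roles prohibited for one user, delete the role information, collapse a user repeated within a combination, merge combinations that differ only in order, and discard a combination contained in another. The following Python example, added to this page and not taken from the patent or from Mitsubishi Electric, carries that procedure through on constructed data mirroring the summary's example (Minister Tanaka; Section Chiefs Suzuki, Sato and Takahashi; the minister role including the section chief role; the access structure {minister, section chief, section chief}). The data, the shape of the prohibited role sets and every function name are constructed.

```python
# Added example, not the patent's code. Data and names are constructed.
from itertools import product

# Constructed backup participant user list: user -> roles possessed.
USER_ROLES = {
    "Tanaka": {"minister"},
    "Suzuki": {"section chief"},
    "Sato": {"section chief"},
    "Takahashi": {"section chief"},
}
# Constructed inclusion relation: upper role -> lower roles it includes.
ROLE_HIERARCHY = {"minister": {"section chief"}}
# Constructed role-based access structure; the same role may be repeated.
ASSIGNED_ROLES = ("minister", "section chief", "section chief")


def upper_roles_of(role, hierarchy):
    """Roles that include `role` as a lower role, transitively."""
    found, frontier = set(), {role}
    while frontier:
        current = frontier.pop()
        for upper, lowers in hierarchy.items():
            if current in lowers and upper not in found:
                found.add(upper)
                frontier.add(upper)
    return found


def role_covers(held_role, target_role, hierarchy):
    """True if a user holding `held_role` counts as holding `target_role`."""
    return held_role == target_role or held_role in upper_roles_of(target_role, hierarchy)


def candidates_for(assigned_role, user_roles, hierarchy):
    """Users possessing the assigned role directly or via an upper role, each
    recorded as (user, role used) so prohibited role pairs can be checked later."""
    return [(user, role)
            for user, roles in sorted(user_roles.items())
            for role in sorted(roles)
            if role_covers(role, assigned_role, hierarchy)]


def violates_prohibition(combo, prohibited, hierarchy):
    """True when one user fills two slots whose roles cover two different roles
    of one prohibited role set (an upper role counts for its lower roles)."""
    slots_by_user = {}
    for user, role in combo:
        slots_by_user.setdefault(user, []).append(role)
    for roles in slots_by_user.values():
        for pset in prohibited:
            for i, ri in enumerate(roles):
                for j, rj in enumerate(roles):
                    if i != j and any(a != b and role_covers(ri, a, hierarchy)
                                      and role_covers(rj, b, hierarchy)
                                      for a in pset for b in pset):
                        return True
    return False


def recovery_combinations(user_roles, assigned_roles, hierarchy, prohibited=()):
    """User combinations that may recover the key, as sorted lists of users."""
    slots = [candidates_for(r, user_roles, hierarchy) for r in assigned_roles]
    combos = list(product(*slots))                                    # all combinations
    combos = [c for c in combos if not any(                           # same user in two slots
        c[i][0] == c[j][0] and assigned_roles[i] == assigned_roles[j]  # of the same repeated role
        for i in range(len(c)) for j in range(i + 1, len(c)))]
    combos = [c for c in combos if not violates_prohibition(c, prohibited, hierarchy)]
    users_only = [tuple(user for user, _ in c) for c in combos]       # delete role information
    deduped = [tuple(dict.fromkeys(c)) for c in users_only]           # user repeated in a combination
    unique = {frozenset(c) for c in deduped}                          # order-only duplicates
    final = [c for c in unique if not any(c < other for other in unique)]  # contained in another
    return sorted(sorted(c) for c in final)


if __name__ == "__main__":
    for combo in recovery_combinations(USER_ROLES, ASSIGNED_ROLES, ROLE_HIERARCHY):
        print(combo)
```

On the constructed data the result is exactly the three combinations of Tanaka with two distinct section chiefs, so handing each combination to a general access structure secret sharing step gives neither the over-permissive Case 1 nor the under-permissive Case 2 of the summary. The last step matters once the hierarchy is in play: Tanaka can fill a section chief slot through the minister role, the resulting combination collapses to two people after the repeated user is removed, and discarding it preserves the requirement that three people be present.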
Brief description of the drawings
Fig. 1 shows a structure example of the private key backup device of Embodiment 1.
Fig. 2 shows a structure example of the backup participant user list of Embodiment 1.
Fig. 3 shows an example of the backup participant user list of Embodiment 1.
Fig. 4 shows a structure example of the role-based access structure of Embodiment 1.
Fig. 5 shows an example of the role-based access structure of Embodiment 1.
Fig. 6 shows a structure example of the role hierarchy information of Embodiment 1.
Fig. 7 shows an example of the role hierarchy information of Embodiment 1.
Fig. 8 shows a structure example of the simultaneous-activation-prohibited role combinations of Embodiment 1.
Fig. 9 shows an example of the simultaneous-activation-prohibited role combinations of Embodiment 1.
Fig. 10 shows a structure example of the extracted recoverable combinations of Embodiment 1.
Fig. 11 shows an example of the extracted recoverable combinations of Embodiment 1 (after extracting all combinations).
Fig. 12 shows an example of the extracted recoverable combinations of Embodiment 1 (after same user/role deletion).
Fig. 13 shows an example of the extracted recoverable combinations of Embodiment 1 (after simultaneous-activation-prohibited role deletion).
Fig. 14 shows an example of the extracted recoverable combinations of Embodiment 1 (after role information deletion).
Fig. 15 shows an example of the extracted recoverable combinations of Embodiment 1 (after duplicate user information deletion).
Fig. 16 shows an example of the extracted recoverable combinations of Embodiment 1 (after repeated combination deletion).
Fig. 17 shows an example of the extracted recoverable combinations of Embodiment 1 (after invalidated combination deletion).
Fig. 18 is a flowchart of an operation example of the private key backup device of Embodiment 1.
Fig. 19 shows an example of the backup participant user list of Embodiment 1.
Fig. 20 shows a hardware configuration example of the private key backup device of Embodiment 1.
Fig. 21 shows a structure example of the private key backup system of Embodiment 2.
Fig. 22 shows a structure example of the backup permitted user list of Embodiment 2.
Fig. 23 shows a structure example of the access control policy of Embodiment 2.
Fig. 24 shows an example of the access control policy of Embodiment 2.
Fig. 25 shows an example of the backup execution user information of Embodiment 2.
Fig. 26 is a flowchart of an operation example of the private key backup system of Embodiment 2.
(Description of reference numerals)
101: secret key backup device; 102: backup participating user list obtaining section; 103: role-based access structure obtaining section; 104: role hierarchy information obtaining section; 105: simultaneous-activation-prohibited role combination obtaining section; 106: backup target secret key obtaining section; 107: all-combination generating section; 108: same-user-role deleting section; 109: simultaneous-activation-prohibited role deleting section; 110: role information deleting section; 111: duplicate user information merging section; 112: duplicate combination deleting section; 113: invalidated combination deleting section; 114: general access structure secret sharing section; 2101: role-based access structure generating device; 2102: access control policy; 2103: backup execution user information; 2104: backup-permitted user list; 2105: access control policy obtaining section; 2106: backup execution user information obtaining section; 2107: backup-permitted user list obtaining section; 2108: backup authority extracting section; 2109: effective access right extracting section; 2110: role-based access structure generating section; 3000: secret key backup system.
Embodiment
(Embodiment 1)
The present embodiment describes the following technique: when an access structure has been specified using roles (a role-based access structure), the users participating in the backup and the roles those users have activated are consulted to obtain a user-based access structure, specified per user in the same way as conventional access structures, so that the secret key can be backed up securely with a conventional secret sharing technique.
Fig. 1 is a functional block diagram of the secret key backup device 101 of the present embodiment.
The secret key backup device 101 is a device that extracts, from a plurality of users, two or more users who become custodians of the secret key fragments (split secret information) split from a secret key (secret information); it is an example of a secret information management device.
In Fig. 1, the backup participating user list obtaining section 102 obtains backup participating user list information 201 (hereinafter, backup participating user list 201), which represents the list of users participating in the backup and the roles activated by each of those users.
As will be described in detail later, the backup participating user list 201 is, as shown in Figs. 2 and 3, information indicating the roles activated by each of a plurality of users, and is an example of user role information.
The backup participating user list obtaining section 102 is an example of a user role information obtaining section.
The role-based access structure obtaining section 103 obtains role-based access structure information 202 (hereinafter, role-based access structure 202) as the combinations of roles that can restore the secret key.
As will be described in detail later, the role-based access structure 202 is, as shown in Figs. 4 and 5, information that expresses a restorable combination using two or more roles, and is an example of assigned role information.
A role included in a restorable combination is called an assigned role.
The role-based access structure obtaining section 103 is an example of an assigned role information obtaining section.
The role hierarchy information obtaining section 104 obtains role hierarchy information 203 concerning the hierarchical structure that relates roles to one another as defined by RBAC.
As will be described in detail later, the role hierarchy information 203 is, as shown in Figs. 6 and 7, information indicating inclusion relations between upper roles and lower roles, and is an example of inclusion relation information.
That is, a role of a user listed in the backup participating user list 201 may inherit other roles (include them as lower roles).
When a user has activated an upper role that inherits other roles, it is preferable that the user who activated the upper role can also use the authority of the lower roles, since this makes access right management easier. Therefore the role hierarchy information 203, which indicates the inheritance relations between roles, is used.
The role hierarchy information obtaining section 104 is an example of an inclusion relation information obtaining section.
The simultaneous-activation-prohibited role combination obtaining section 105 obtains simultaneous-activation-prohibited role combination information 204 (hereinafter, simultaneous-activation-prohibited role combinations 204), which indicates combinations of roles that a user must not activate at the same time.
As will be described in detail later, the simultaneous-activation-prohibited role combinations 204 are, as shown in Figs. 8 and 9, information that expresses, using two or more roles, the roles that the same user is prohibited from activating simultaneously (simultaneously prohibited roles), and are an example of simultaneous prohibition role information.
That is, a user appearing in the backup participating user list 201 may have activated two or more roles. In such a case, in order not to assign two or more roles redundantly to the same user, the simultaneous-activation-prohibited role combinations 204, which indicate the combinations of roles that a user must not activate simultaneously, are used.
The simultaneous-activation-prohibited role combination obtaining section 105 is an example of a simultaneous prohibition role information obtaining section.
Furthermore, even when a user has activated an upper role that inherits other roles, the inheritance (inclusion) relations between roles must be taken into account so that two or more roles are not assigned redundantly to the same user. Therefore the role hierarchy information 203, which indicates the inheritance relations between roles, is also consulted when judging whether a combination of roles corresponds to simultaneously prohibited roles.
The backup target secret key obtaining section 106 obtains the secret key 205 that the user wants to back up.
The all-combination generating section 107 applies the users recorded in the backup participating user list 201 to the roles included in the role-based access structure 202, and generates all combinations of users that could possibly restore the secret key, namely the all-combination extraction result.
That is, the all-combination generating section 107 compares the roles of each user shown in the backup participating user list 201 with each assigned role shown in the role-based access structure 202, extracts for each assigned role the users who have activated a matching role, and combines the extracted users according to the combination of assigned roles to form combinations of users who become custodians of secret key fragments.
When a lower role is shown as an assigned role in the role-based access structure 202, the all-combination generating section 107 derives the upper roles of that lower role, extracts the users who have activated a derived upper role, and extracts those users in association with the lower role.
The all-combination generating section 107 is an example of a user extracting section.
The same-user-role deleting section 108 deletes from the all-combination extraction result any entry in which the same user appears repeatedly for a role, and generates a same-user-role deletion result.
That is, the role-based access structure 202 may show the same role repeatedly as two or more assigned roles (combination number No1 in the example of Fig. 5). In this case the all-combination generating section 107 extracts users separately for each of the two or more assigned roles that are the same role (RoleA and RoleA), but a combination in which the same user has been assigned to two or more assigned roles that are the same role (RoleA and RoleA) is removed by the same-user-role deleting section 108.
Also, as mentioned above, when a lower role is designated as an assigned role, the all-combination generating section 107 also includes the upper roles of that lower role as extraction targets; as a result, the same user may be assigned to two or more assigned roles that are the same role.
For example, when RoleD is an upper role of RoleA and the assigned roles are "RoleA and RoleA", the same user corresponding to RoleD is extracted repeatedly for "RoleA and RoleA", generating a combination of the same user. Such a combination of the same user is also excluded by the same-user-role deleting section 108.
The simultaneous-activation-prohibited role deleting section 109 deletes from the same-user-role deletion result any entry in which a user has activated roles of a combination designated by the simultaneous-activation-prohibited role combinations 204, and generates a simultaneous-activation-prohibited role deletion result.
Moreover, when the role-based access structure 202 shows a combination of different assigned roles (combination number No2 in the example of Fig. 5) and the same user has activated a plurality of roles, the all-combination generating section 107 extracts the same user repeatedly even though the assigned roles differ. In such a case, the simultaneous-activation-prohibited role deleting section 109 removes the combinations in which the same user has been assigned to two or more assigned roles corresponding to the simultaneous-activation-prohibited role combinations 204.
Also, as mentioned above, when a lower role is designated as an assigned role, the all-combination generating section 107 also includes the upper roles of that lower role as extraction targets. In this case, when the lower role is shown in the simultaneous-activation-prohibited role combinations 204, the simultaneous-activation-prohibited role deleting section 109 removes the combinations in which the same user is assigned to that upper role and to another role of the simultaneous-activation-prohibited role combinations 204.
The same-user-role deleting section 108 is also an example of a user extracting section.
The role information deleting section 110 deletes the role information that is recorded together with each user in the simultaneous-activation-prohibited role deletion result, and generates a role information deletion result.
The duplicate user information merging section 111 removes, as duplicates, repeated occurrences of the same user within each entry of the role information deletion result, and generates a duplicate user information merging result.
The duplicate combination deleting section 112 removes from the duplicate user information merging result the duplicate combinations that differ only in the recording order of the user information but represent the same combination of users, and generates a duplicate combination deletion result.
The invalidated combination deleting section 113 removes from the entries of the duplicate combination deletion result the combinations that include the combination of users shown in another entry and are therefore meaningless as combinations of users able to back up, and generates a user-based access structure in which user information is recorded.
The general access structure secret sharing section 114 has the function of secret-sharing the secret key 205 according to the user-based access structure.
That is, the general access structure secret sharing section 114 splits the secret key 205, which is the secret information, and generates secret key fragments (split secret information).
The general access structure secret sharing section 114 is an example of a secret information splitting section.
Next, the operation of the secret key backup device 101 of the present embodiment is described with reference to Fig. 18.
First, in S1801, the backup participating user list obtaining section 102 obtains the backup participating user list 201, which shows the list of users participating in the backup, as managed by the system or application, together with the roles activated by each of those users.
Fig. 2 shows the structure of this backup participating user list 201.
The backup participating user list 201 lists pairs of a participating user name 2011 and the activated roles 2012 that the participating user has activated.
The example in Fig. 3 shows, for instance, that user UserC, who has activated role RoleC, participates, and that user UserA, who has activated roles RoleA and RoleB simultaneously, participates.
Next, in S1802, the role-based access structure obtaining section 103 obtains, from the security policy managed by the system or application, the role-based access structure 202 as the combinations of roles (assigned roles) that can restore the secret key 205.
Fig. 4 shows the structure of this role-based access structure 202.
The role-based access structure 202 consists of a combination number identifying each entry and a restorable combination written using roles and operators such as AND/OR.
In the example in Fig. 5, combination number No1 specifies that the secret key 205 can be restored when two users of role RoleA are present, and combination number No2 specifies that the secret key 205 can be restored when a user of role RoleA is present together with any two of a user of role RoleB, a user of role RoleC and a user of role RoleD.
Next, in S1803, the role hierarchy information obtaining section 104 obtains, from the security policy managed by the system or application, the role hierarchy information 203 that relates roles to one another as defined by RBAC.
Fig. 6 shows the structure of this role hierarchy information 203.
The role hierarchy information 203 consists of the role for which the hierarchy is defined and an inheritance source role indicating which role that role inherits.
The role can also bear the responsibilities of its inheritance source role.
For example, as shown in Fig. 7, when the role is RoleD and the inheritance source role is RoleA, a user belonging to role RoleD can also fulfil the responsibilities of role RoleA.
That is, RoleD is the upper role, RoleA is the lower role, and RoleD includes RoleA.
Next, in S1804, the simultaneous-activation-prohibited role combination obtaining section 105 obtains, from the security policy managed by the system or application, the simultaneous-activation-prohibited role combinations 204, which indicate the combinations of roles that a user must not activate simultaneously.
Fig. 8 shows the structure of these simultaneous-activation-prohibited role combinations 204.
The simultaneous-activation-prohibited role combinations 204 consist of a prohibition number identifying each entry and a prohibited role combination written using roles and the number of those roles that must not be activated simultaneously.
In the example in Fig. 9, prohibition number No1 is an example in which two or more of role RoleA, role RoleB and role RoleC must not be activated simultaneously, and prohibition number No2 is an example in which up to two of role RoleA, role RoleC and role RoleD may be activated simultaneously but three or more must not be.
Next, in S1805, the backup target secret key obtaining section 106 obtains the secret key 205 that the user wants to back up, as secret information managed by the system or application.
This secret key 205 may be, for example, a private key of the well-known RSA (Rivest-Shamir-Adleman) (registered trademark) cipher, or it may be a key of the AES (Advanced Encryption Standard) cipher.
Next, in S1806, the all-combination generating section 107 applies the users and activated roles recorded in the backup participating user list 201 to the assigned roles included in the role-based access structure 202, and generates all combinations of users that could possibly restore the secret key 205, namely the all-combination extraction result.
If a hierarchical structure is defined for the roles, that hierarchical structure is also taken into account when applying the users and activated roles. In addition, the assigned roles designated by the original role-based access structure 202 are recorded together, in parentheses.
Fig. 10 shows the structure of this all-combination extraction result (combination extraction information).
The all-combination extraction result consists of a combination number identifying each entry and a restorable combination that lists users, activated roles and assigned roles.
The example in Fig. 11 is the all-combination extraction result generated from the examples of Fig. 3, Fig. 5 and Fig. 7. For example, combination number No1 of Fig. 5 specifies assigned role RoleA and assigned role RoleA, and in the example of Fig. 3 the participating users UserA and UserD both have activated role RoleA, so the four entries with combination numbers No1, No2, No3 and No4 of Fig. 11 are generated.
Here UserA@RoleA (RoleA) means that user UserA, who can exercise the authority of role RoleA, has been placed in assigned role RoleA of the original role-based access structure 202.
In combination numbers No1 and No4, the same user is set repeatedly for assigned role RoleA; such repetitions are deleted in a later step, so in this step they are disregarded and all combinations are listed.
Combination numbers No5 to No12 of Fig. 11 are generated in the same way. Roles RoleD/RoleE/RoleF inherit role RoleA and could therefore also be treated as users belonging to role RoleA, but since no user has activated RoleD/RoleE/RoleF they have no effect on the all-combination extraction result.
On the other hand, if UserA activates RoleD as shown in Fig. 19, UserA is extracted as matching RoleA for combination No1 of Fig. 5, and as matching RoleA, RoleB and RoleD for combination No2 of Fig. 5.
Next, in S1807, the same-user-role deleting section 108 deletes from the all-combination extraction result any entry in which the same user belonging to an activated role or assigned role is repeated, and generates the same-user-role deletion result.
When a hierarchical structure is defined for the roles, activated roles and assigned roles in a parent-child relation are also regarded as the same role and the repetition is deleted.
The structure of the same-user-role deletion result is identical to Fig. 8; only the stored values differ.
Fig. 12 is the result of deleting from Fig. 11 the entries that contain a same-user role. Combination number No1 of Fig. 11 repeats UserA@RoleA (RoleA) and combination number No4 repeats UserD@RoleA (RoleA), so these are detected and deleted. In this example both the activated role and the assigned role are identical, but an entry may also be deleted when only one of them can be regarded as identical.
Also, if UserA activates RoleD as shown in Fig. 19, then by inheritance the all-combination extraction result for combination No1 of Fig. 5 contains two entries of the form "UserA@RoleD (RoleA)+UserA@RoleD (RoleA)", and the same-user-role deleting section 108 deletes these two entries.
Next, in S1808, the simultaneous-activation-prohibited role deleting section 109 deletes from the same-user-role deletion result any entry in which a user has activated a plurality of roles of a combination designated by the simultaneous-activation-prohibited role combinations 204 of Fig. 9, and generates the simultaneous-activation-prohibited role deletion result.
When a hierarchical structure is defined for the roles, roles in a parent-child relation are also compared against the simultaneous-activation-prohibited role condition, and an entry is deleted if it contains a prohibited combination.
The structure of the simultaneous-activation-prohibited role deletion result is identical to Fig. 10; only the stored values differ. Fig. 13 is the result of deleting from Fig. 12 the entries that use simultaneous-activation-prohibited roles. In combination numbers No5 and No6 of Fig. 12, user UserA activates role RoleA and role RoleB simultaneously, but prohibition number No1 of the simultaneous-activation-prohibited role combinations 204 in Fig. 9 prohibits simultaneous activation of role RoleA and role RoleB, so these entries are detected and deleted.
Also, if UserA activates RoleD as shown in Fig. 19, then by inheritance the all-combination extraction result for combination No2 of Fig. 5 contains the entries "UserA@RoleD (RoleA)+UserA@RoleB (RoleB)+UserB@RoleC (RoleC)" and "UserA@RoleD (RoleA)+UserA@RoleB (RoleB)+UserA@RoleD (RoleD)", but prohibition number No1 of the simultaneous-activation-prohibited role combinations 204 in Fig. 9 prohibits simultaneous activation of role RoleA and role RoleB, so the simultaneous-activation-prohibited role deleting section 109 deletes these entries.
Next, in S1809, the role information deleting section 110 deletes the activated role (the role after @) and the assigned role (the role in parentheses) that are recorded together with each user in the simultaneous-activation-prohibited role deletion result, and generates the role information deletion result.
The structure of the role information deletion result is identical to Fig. 10, except that the restorable combination is specified by user information only.
Fig. 14 is the result of deleting the role information from Fig. 13. Previously each element was a user name/role pair, but in the result with the role information deleted the restorable combinations are specified by user names only.
Next, in S1810, the duplicate user information merging section 111 removes, as duplicates, repeated occurrences of the same user within each entry of the role information deletion result, and generates the duplicate user information merging result.
The structure of the duplicate user information merging result is identical to Fig. 10, except that the restorable combination is specified by user information only.
Fig. 15 is the result of removing duplicate users from Fig. 14. In combination numbers No7 and No11 of Fig. 14, user UserB is repeated within the restorable combination, so the repetition is deleted and reduced to a single occurrence of user UserB.
Next, in S1811, the duplicate combination deleting section 112 removes from the duplicate user information merging result the duplicate combinations that differ only in the recording order of the user information but represent the same combination of users, and generates the duplicate combination deletion result.
The structure of the duplicate combination deletion result is identical to Fig. 10, except that the restorable combination is specified by user information only.
Fig. 16 is the result of deleting from Fig. 15 the combinations that differ only in the recording order of users. In combination numbers No2 and No3 of Fig. 15, only the recording order of user UserA and user UserD differs, so this duplicate is removed.
Next, in S1812, the invalidated combination deleting section 113 removes from the entries of the duplicate combination deletion result the combinations that include the combination of users shown in another entry and are therefore meaningless as combinations of users able to back up, and generates the user-based access structure in which user information is recorded.
The structure of the user-based access structure is identical to Fig. 10, except that the restorable combination is specified by user information only.
Fig. 17 is the result of deleting from Fig. 16 the entries that are included in other entries. Combination number No8 of Fig. 16 contains combination number No7, so if the key can be restored by combination number No7 then restoration by No8 holds automatically; No8 is therefore regarded as included in No7 and deleted.
Similarly, combination numbers No9 and No10 are included in combination number No2, and combination number No12 is included in combination number No11, so they are deleted.
Finally, in S1813, the general access structure secret sharing section 114 secret-shares the secret key 205 according to the user-based access structure.
By giving the user-based access structure recorded with user information, as shown in Fig. 17, as input, secret sharing can be performed with a conventional technique, so secret key fragments are generated from the secret key 205 by such a technique.
The secret key fragments are then distributed to the participating users of Fig. 2. Of course, a user listed in Fig. 2 who does not appear in any restorable combination of Fig. 17 may receive no secret key fragment.
The distribution may be performed, for example, over a network such as a LAN (Local Area Network), through a connection terminal for an IC card or USB memory connected to the device, or over a bus to which an expansion card such as a PCI bus card is connected, delivering the secret key fragment to each target user.
In the all-combination extraction result generated by the all-combination generating section 107, the assigned roles recorded in the role-based access structure 202 (the role in parentheses) and the roles activated by the user (the role after @) are recorded together with the user information.
To simplify the computation, only one of the assigned role and the activated role may be recorded. This is particularly effective when role hierarchies are not supported, since it reduces the amount of data processed.
Also, when the role-based access structure has a simple structure, both the assigned role and the activated role may be omitted and only the user information listed.
In this embodiment it is assumed that the roles have a hierarchical structure and that simultaneous-activation-prohibited roles exist, but depending on the RBAC software, role hierarchies or simultaneous-activation-prohibited roles may not be supported.
In that case, the processing of role hierarchies in the all-combination generating section 107, the same-user-role deleting section 108 and the simultaneous-activation-prohibited role deleting section 109, and the detection of simultaneous-activation-prohibited roles in the simultaneous-activation-prohibited role deleting section 109, may be omitted.
In this embodiment, the all-combination extraction result is generated for the participating users after it has been determined who the users participating in the backup are.
Alternatively, the backup participating user list obtaining section 102 may obtain the information of all users belonging to the roles, and the all-combination generating section 107 may generate all combinations from the information of all users, regardless of whether they are listed as participating in the backup.
The processing order of the same-user-role deleting section 108 and the simultaneous-activation-prohibited role deleting section 109 is not fixed, so the order recorded in Fig. 1 may be exchanged.
The processing order of the duplicate user information merging section 111, the duplicate combination deleting section 112 and the invalidated combination deleting section 113 is likewise not fixed, so their processing may be performed at any point between the all-combination generating section 107 and the general access structure secret sharing section 114.
The simultaneous-activation-prohibited role combination obtaining section 105 may be performed at any point before the processing of the simultaneous-activation-prohibited role deleting section 109.
The backup target secret key obtaining section 106 may be performed at any point before the processing of the general access structure secret sharing section 114.
In addition, in the present embodiment, according to the Role Information that is carried out validation by the user, process, automatically be made as effective Role Information but the system that also can add replaces the user and processed.In addition, also can be with the manager to the role of user assignment, the role's of user registration information is processed.
As described above, when the access structure is specified with roles, the access structure specified by user information is generated from the backup participant user list 201, which lists the users participating in the secret key backup and the roles each of those users has activated. The secret key can therefore be backed up with a conventional secret sharing technique that supports only user-based access structures described in terms of user information.
To make the processing steps clear, steps S1806, S1807 and S1808 are described as separate steps. However, to reduce memory usage and increase processing speed, the three steps may be performed at once. That is, while generating the all-combination extraction result in step S1806, entries in which the same user is repeated across roles, and entries containing simultaneous-activation-prohibited roles, may simply not be generated. In that case the all-combination extraction result, which would become a very large table, is never materialized; the simultaneous-activation-prohibited role deletion result is generated directly, so memory usage is reduced and processing speed is improved.
If any of the all-combination extraction result generated in step S1806, the same user role deletion result generated in step S1807, the simultaneous-activation-prohibited role deletion result generated in step S1808, the role information deletion result generated in step S1809, the duplicate user information consolidation result generated in step S1810, the duplicate combination deletion result generated in step S1811, or the user-based access structure generated in step S1812 is empty, there is no combination for splitting the secret information, so this is treated as an error.
By defining a hierarchical structure for roles in the RBAC model, authority can be inherited. Since the all-combination extraction result is generated taking into account the hierarchy of the roles the user has activated, even when a role hierarchy is used, the role-based access structure 202 is interpreted correctly, the user-based access structure is generated, and the secret key is secret-shared into secret key shares.
Since only the user information listed for the backup is selected and used, the complexity of the user-based access structure is reduced; compared with distributing secret key shares to all registered users, both the generation processing and the number of secret key shares are reduced.
The same user role deletion unit 108 detects the case where a user belonging to a certain activated role or assigned role is counted more than once, eliminating the risk that one user is counted as several users and obtains more secret key shares than intended.
The simultaneous-activation-prohibited role deletion unit 109 checks, at secret key backup time, for use of roles whose simultaneous activation is prohibited, and detects and deletes combinations containing prohibited roles, so the Dynamic SoD policy defined by the NIST RBAC model can be supported.
The role information deletion unit 110, duplicate user information consolidation unit 111, duplicate combination deletion unit 112 and invalidated combination deletion unit 113 delete the role information to extract an access structure specified only by user information, check for duplicates and inclusion relations, and delete unnecessary entries. A user-based access structure can thus be generated, and secret key shares can be generated from the secret key with a conventional general-access-structure secret sharing scheme.
(Embodiment 2)
Embodiment 1 is a secret key backup scheme in which a role-based access structure, that is, the combinations of roles permitted to restore the secret key, is received as input.
In RBAC, however, access authority is managed with access control policy information (hereinafter also called an access control policy), so a system administrator must maintain two things consistently: the access control policy and the role-based access structure.
Embodiment 2 therefore describes a technique that, when RBAC is used, automatically generates the role-based access structure from the access control policy describing the operations permitted to operators such as administrators and general users, so that the role-based access structure need not be managed separately.
Fig. 21 is a functional block diagram of the secret key backup system 3000 of this embodiment.
The role-based access structure generating apparatus 2101 automatically generates the role-based access structure from access control policy information describing the operations permitted to operators such as administrators and general users. It is used as an add-on to the secret key backup apparatus 101 shown in Embodiment 1.
In Fig. 21, the secret key 205, the role hierarchy information 203, the backup object secret key acquisition unit 106 and the role hierarchy information acquisition unit 104 are the same as in Embodiment 1, so their description is omitted.
The access control policy 2102 is information describing the operations permitted to operators such as administrators and general users (hereinafter called access rights), and is the information used by the RBAC system with which this apparatus is used.
As shown in Figs. 23 and 24, an access right generally consists of a licensed role name meaning "to whom" (the licensed role is also called the executor role), a permitted operation object meaning "what", and a permitted operation content meaning "how".
Optionally, a plurality of approvers expressing the "conditions" under which permission is granted are specified.
An approver is specified not by user name but by role (approver role), and may be omitted when no approval is needed. The number N of approver roles recorded is variable and differs from system to system. The access control policy 2102 is formed by listing a plurality of such access rights.
Thus the access control policy 2102 is a plurality of pieces of information, each indicating a licensed role that is permitted access to the secret key (secret information) whose access is restricted, together with a combination of one or more approver roles that grant the licensed role access to the secret key.
The backup execution user information 2103 consists of the execution user name of the user who wants to perform the backup processing and a list of the roles that user has activated (activated roles).
As shown in Fig. 25, it is formed of an execution user name identifying the individual user and activated role 1 to activated role M, the roles the user has activated. The number M of activated roles recorded is the number of roles the user has activated, so it varies with the situation at backup time.
Thus the backup execution user information 2103 indicates the activated roles (execution user roles) of the execution user who performs the access to the secret key, and is an example of execution user information.
The backup permitted user list 2104 is a list of combinations of the user name of a user who permitted the execution user's backup and the activated role that user had activated when granting the permission.
As shown in Fig. 22, it is structured as a list of pairs of the permitted user name of a user who permitted the backup and the activated role that was activated when the permitted user granted the permission.
Thus the backup permitted user list 2104 indicates the activated roles (permitted user roles) of the permitted users who permitted the execution user to access the secret key, and is an example of permitted user information.
The access control policy acquisition unit 2105 has the function of acquiring the access control policy 2102.
The access control policy acquisition unit 2105 is an example of an access control policy information acquisition unit.
The backup execution user information acquisition unit 2106 has the function of acquiring the backup execution user information 2103.
The backup execution user information acquisition unit 2106 is an example of an execution user information acquisition unit.
The backup permitted user list acquisition unit 2107 has the function of acquiring the backup permitted user list 2104.
The backup permitted user list acquisition unit 2107 is an example of a permitted user information acquisition unit.
The backup authority extraction unit 2108 extracts, from the access rights recorded in the access control policy 2102, only the information describing access rights related to backup.
For this extraction it receives the secret key from the backup object secret key acquisition unit 106. It then extracts only those entries of the access control policy 2102 whose permitted operation object indicates the received secret key and whose permitted operation content indicates a backup operation. The result of this extraction is hereinafter called the "access rights list (backup authority extraction result)".
The effective access rights extraction unit 2109 extracts, from the access rights list (backup authority extraction result) received from the backup authority extraction unit 2108, the access rights that can be used as source information (original information) for generating the role-based access structure, taking into account the backup execution user information 2103, the backup permitted user list 2104 and the role hierarchy information 203. The result of this extraction is hereinafter called the "access rights list (effective access rights extraction result)".
The role-based access structure generation unit 2110 generates the role-based access structure from the access rights list (effective access rights extraction result) extracted by the effective access rights extraction unit 2109. The generated role-based access structure has the same structure as the one shown in Embodiment 1.
The backup unit 101 corresponds to the secret key backup apparatus 101 shown in Embodiment 1 and consists of the following parts: backup participant user list acquisition unit, role-based access structure acquisition unit, role hierarchy information acquisition unit, simultaneous-activation-prohibited role combination acquisition unit, backup object secret key acquisition unit, all-combination generation unit, same user role deletion unit, simultaneous-activation-prohibited role deletion unit, role information deletion unit, duplicate user information consolidation unit, duplicate combination deletion unit, invalidated combination deletion unit, and general access structure secret sharing unit.
Since these are the same as in Embodiment 1, their detailed description is omitted.
Next, the operation of the secret key backup system 3000 of this embodiment is described with reference to Fig. 26.
First, in S2601, the access control policy acquisition unit 2105 acquires the access control policy 2102 from the security policy managed by the system or application.
Fig. 23 shows the structure of this access control policy 2102.
The access control policy 2102 is a list of access rights, each consisting of a licensed role name, a permitted operation content, a permitted operation object, and approver 1 to approver N.
The licensed role name specifies the role to which the access right is assigned.
The permitted operation content indicates what kind of operation is permitted.
The permitted operation object indicates for what kind of information, such as a secret key or log information, the access right is defined.
Approver 1 to approver N indicate under which roles' permission the access right is regarded as effective.
In the first row of the example shown in Fig. 24, a user who has activated RoleA, specified by the licensed role name, has the access right to perform the backup shown in the permitted operation content on secret key 1 specified by the permitted operation object; the right is limited to the case where a user belonging to RoleA, specified by approver 1, grants permission for the backup (when there are several approver roles, as in the second row, it is limited to the case where users belonging to all the approver roles grant permission).
Such access rights, in the form of a list, constitute the access control policy 2102.
Next, in S2602, the backup execution user information acquisition unit 2106 acquires the backup execution user information 2103 concerning the user who wants to perform the backup processing managed by the system or application.
Fig. 25 shows the structure of this backup execution user information 2103.
The backup execution user information 2103 is formed of an execution user name and activated role 1 to activated role M.
The execution user name is the user name of the user who wants to perform the backup processing. Activated role 1 to activated role M are the list of roles the user has activated.
Next, in S2603, the backup permitted user list acquisition unit 2107 acquires, from the security policy managed by the system or application, the backup permitted user list 2104, that is, the list of the roles of the approvers who permitted the backup processing for the operation in which the user included in the backup execution user information 2103 acquired in S2602 performs the backup.
A backup permitted user list 2104 exists for each execution user, operation object (secret key 1 and so on) and operation content (backup and so on).
Fig. 22 shows the structure of the backup permitted user list 2104.
The backup permitted user list 2104 is a list of pairs of a permitted user name and an activated role.
The permitted user name is the user name of the approver who permitted the backup processing for the backup operation performed by the execution user.
The activated role is the role that was activated when the permitted user granted the permission for the backup.
Next, in S2604, the role hierarchy information acquisition unit 104 acquires, from the security policy managed by the system or application, the role hierarchy information 203 that defines the associations between roles prescribed by RBAC.
The structure of this role hierarchy information 203 is identical to that of the role hierarchy information 203 shown in Embodiment 1, so its description is omitted.
Next, in S2605, the backup object secret key acquisition unit 106 acquires, from the security policy managed by the system or application, the secret key the user wants to back up.
As in Embodiment 1, this secret key may be, for example, the private key of the well-known RSA (registered trademark) cipher, or the shared key of the AES cipher.
Next, in S2606, the backup authority extraction unit 2108 extracts only the access rights related to backup from the access rights recorded in the access control policy 2102 acquired in S2601.
In this extraction, only those entries of the access control policy 2102 whose permitted operation object indicates the secret key acquired in S2605 and whose permitted operation content indicates a backup operation are extracted.
The extraction result is the access rights list (backup authority extraction result), whose structure is identical to that of the access control policy 2102.
Next, in S2607, the effective access rights extraction unit 2109 extracts, from the access rights list (backup authority extraction result) generated in S2606, the access rights list (effective access rights extraction result) that can be used as source information for generating the role-based access structure, taking into account the backup execution user information 2103, the backup permitted user list 2104 and the role hierarchy information 203.
Two main examples of this extraction algorithm are shown.
Extraction mode example 1 performs a strict check.
First, activated role 1 to activated role M are obtained from the backup execution user information 2103, and the access rights whose licensed role name matches one of them are extracted from the access rights list (backup authority extraction result) generated in S2606.
Here, taking the role hierarchy information 203 into account, the case where the licensed role name of an access right in the access rights list (backup authority extraction result) corresponds to a lower-level role of one of activated role 1 to activated role M activated by the user is also regarded as a match and extracted.
Next, it is confirmed whether all the roles recorded in approver 1 to approver N are recorded among the activated roles of the backup permitted user list 2104, and the access right is extracted only when they are all included.
Here too, taking the role hierarchy information 203 into account, the case where a role recorded in approver 1 to approver N corresponds to a lower-level role of an activated role that a backup permitted user has activated is also regarded as a match and extracted.
Approvers among approver 1 to approver N for which no role is assigned need not be compared; it suffices to compare only the approvers that are specified.
Through the above operation, the access rights list (effective access rights extraction result) needed to generate the role-based access structure is generated.
Extraction mode example 2 relaxes the comparison conditions: it performs the extraction without distinguishing between the execution user and the permitted users.
Specifically, only those access rights of the access rights list (backup authority extraction result) generated in S2606 whose licensed role name and all of approver 1 to approver N are included in either activated role 1 to activated role M recorded in the backup execution user information 2103 or the activated roles of the backup permitted user list 2104 are extracted.
Therefore the licensed role name may be included among the activated roles of the backup permitted user list 2104, and all of approver 1 to approver N may be included in activated role 1 to activated role M recorded in the backup execution user information 2103.
Here, taking the role hierarchy information 203 into account, the access right is also extracted when an upper-level role of the licensed role name or of a role recorded in approver 1 to approver N matches one of activated role 1 to activated role M recorded in the backup execution user information 2103 or one of the activated roles of the backup permitted user list 2104.
Approvers among approver 1 to approver N for which no role is assigned need not be compared; it suffices to compare only the approvers that are specified.
Through the above operation, the access rights list (effective access rights extraction result) needed to generate the role-based access structure is generated.
Next, in S2608, the role-based access structure generation unit 2110 generates the role-based access structure from the access rights list (effective access rights extraction result) generated in S2607.
Specifically, one access right is taken from the access rights list (effective access rights extraction result).
The licensed role name and approver 1 to approver N recorded in that access right are regarded as one combination of roles that can restore the secret key.
That is, they become one row of the table of the role-based access structure shown in Fig. 4.
Where combinations such as {RoleB, RoleC}, {RoleC, RoleD} and {RoleB, RoleD} exist, the data volume can be reduced by abbreviating the record as "2of{RoleB, RoleC, RoleD}".
The structure obtained by applying the same conversion to all the access rights contained in the access rights list (effective access rights extraction result) is the role-based access structure.
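The following is an added worked example of steps S2606 to S2608, written for this page and not taken from the patent: it filters an access control policy down to the backup rights for one secret key, applies extraction mode 1 (strict) or mode 2 (relaxed) with a role hierarchy, optionally narrows by simultaneous-activation-prohibited role combinations as the text later allows, and turns the result into role-based access structure rows. The policy rows, role hierarchy layout (senior role to its direct junior roles), user data and role names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AccessRight:
    """One access right of the access control policy 2102 (Figs. 23/24)."""
    licensed_role: str          # "to whom": licensed (executor) role name
    operation: str              # "how": permitted operation content
    target: str                 # "what": permitted operation object
    approvers: Tuple[str, ...]  # approver roles 1..N; empty if no approval needed


def junior_closure(hierarchy: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Role hierarchy 203, assumed as senior -> direct juniors; returns the
    transitive set of junior roles for every role."""
    roles = set(hierarchy) | {j for js in hierarchy.values() for j in js}
    closure: Dict[str, Set[str]] = {}
    for role in roles:
        seen: Set[str] = set()
        stack = list(hierarchy.get(role, ()))
        while stack:
            j = stack.pop()
            if j not in seen:
                seen.add(j)
                stack.extend(hierarchy.get(j, ()))
        closure[role] = seen
    return closure


def covered(role: str, activated: Set[str], closure: Dict[str, Set[str]]) -> bool:
    """True if `role` is activated directly, or is a junior of an activated
    role (the activated senior role inherits the junior's authority)."""
    return role in activated or any(role in closure.get(a, ()) for a in activated)


def extract_backup_authority(policy: Iterable[AccessRight], key_id: str,
                             operation: str = "backup") -> List[AccessRight]:
    """S2606: keep rights whose object is the key being backed up and whose
    operation content is the backup operation."""
    return [r for r in policy if r.target == key_id and r.operation == operation]


def extract_effective_strict(rights, exec_roles, permitted_roles, closure):
    """S2607, mode 1: licensed role covered by the execution user's activated
    roles, every approver role covered by the permitted users' activated roles.
    An empty approver tuple needs no comparison (all() is True)."""
    return [r for r in rights
            if covered(r.licensed_role, exec_roles, closure)
            and all(covered(a, permitted_roles, closure) for a in r.approvers)]


def extract_effective_relaxed(rights, exec_roles, permitted_roles, closure):
    """S2607, mode 2: execution user and permitted users are pooled."""
    pool = set(exec_roles) | set(permitted_roles)
    return [r for r in rights
            if covered(r.licensed_role, pool, closure)
            and all(covered(a, pool, closure) for a in r.approvers)]


def drop_prohibited(rights, prohibited: Set[FrozenSet[str]]):
    """Optional narrowing: drop a right whose role combination contains a
    simultaneous-activation-prohibited role combination 204."""
    return [r for r in rights
            if not any(p <= {r.licensed_role, *r.approvers} for p in prohibited)]


def to_role_access_structure(rights) -> List[Tuple[str, ...]]:
    """S2608: licensed role plus approvers 1..N form one row (the "2of{...}"
    abbreviation is not applied). Empty means no combination can split the
    secret, which the text treats as an error."""
    rows = [(r.licensed_role, *r.approvers) for r in rights]
    if not rows:
        raise ValueError("no role combination available to split the secret")
    return rows


# Constructed sample data (not from the patent). Rows 1 and 2 follow the
# description of Fig. 24; the other rows only exercise the S2606 filter.
SAMPLE_POLICY = [
    AccessRight("RoleA", "backup", "key1", ("RoleA",)),
    AccessRight("RoleA", "backup", "key1", ("RoleB", "RoleC")),
    AccessRight("RoleB", "backup", "key1", ("RoleD",)),
    AccessRight("RoleA", "restore", "key1", ("RoleB",)),  # other operation
    AccessRight("RoleA", "backup", "key2", ()),           # other object
]
SAMPLE_HIERARCHY = {"RoleA": {"RoleB"}, "RoleC": {"RoleD"}}   # senior -> juniors
EXEC_USER_ROLES = {"RoleA"}                                   # Fig. 25 style roles
PERMITTED_USER_LIST = [("bob", "RoleB"), ("carol", "RoleC")]  # Fig. 22 style pairs
SAMPLE_PROHIBITED = {frozenset({"RoleB", "RoleD"})}           # constructed SoD rule


def generate_role_access_structure(policy, key_id, exec_roles, permitted_user_list,
                                   hierarchy, strict=True, prohibited=frozenset()):
    """S2606 -> S2607 -> optional SoD narrowing -> S2608."""
    closure = junior_closure(hierarchy)
    permitted_roles = {role for _user, role in permitted_user_list}
    rights = extract_backup_authority(policy, key_id)
    pick = extract_effective_strict if strict else extract_effective_relaxed
    effective = drop_prohibited(pick(rights, exec_roles, permitted_roles, closure),
                                prohibited)
    return to_role_access_structure(effective)


if __name__ == "__main__":
    print(generate_role_access_structure(SAMPLE_POLICY, "key1", EXEC_USER_ROLES,
                                         PERMITTED_USER_LIST, SAMPLE_HIERARCHY))
```

With the sample data, mode 1 yields the rows (RoleA, RoleB, RoleC) and (RoleB, RoleD), the latter only because RoleB is a junior of the activated RoleA and RoleD a junior of the approver's RoleC; mode 2 additionally yields (RoleA, RoleA), matching the first row of Fig. 24 as described in the text.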
Finally, in S2609, the backup unit 101 receives as input the role-based access structure generated in S2608 together with the backup participant user list, the role hierarchy information, the simultaneous-activation-prohibited role combinations and the secret key managed by the system or application, and generates secret key shares by the method shown in Embodiment 1.
Fig. 23 shows one structure of the access control policy 2102, but the structure of the access control policy 2102 varies from system to system.
It is therefore also conceivable that the permitted operation content and the permitted operation object are omitted.
In that case, the comparison of the permitted operation content and the permitted operation object may also be omitted in S2606.
Similarly, for an access control policy 2102 that has no approver 1 to approver N elements, it suffices to process S2607 and S2608 as if no approvers were specified.
The backup execution user information 2103 shown in Fig. 25 includes the execution user name because, in real systems, the execution user name is usually managed in association with activated role 1 to activated role M, and it is recorded here for that reason.
However, since the execution user name is not needed in the processing of this scheme, it may be deleted from the backup execution user information 2103.
In the backup permitted user list 2104 shown in Fig. 22, a list tabulating pairs of permitted user name and activated role is used. However, since the permitted user name is not needed in the processing of this scheme, the backup permitted user list 2104 may consist only of activated roles.
The backup permitted user list 2104 shown in Fig. 22 tabulates pairs of permitted user name and activated role. If the same permitted user grants permission under several roles, they may be enumerated by either of the following methods.
(1) Enumerate several roles in the activated role field (several role entries in one record). (2) Since the activated role field holds only one role, enumerate several pairs of permitted user name and activated role (one role per record, several records).
Activated role 1 to activated role N of the backup execution user information 2103 shown in Fig. 25 and the activated role of the backup permitted user list 2104 shown in Fig. 22 usually record roles that the user has explicitly activated, but roles that the system has automatically made effective in place of the user may be recorded instead. Alternatively, the roles assigned to the user by an administrator, or the roles registered by the user, may be recorded as activated roles.
S2601, S2602, S2603, S2604 and S2605 are independent of one another and need not be performed in the order described. It suffices that S2601 is performed before S2606, S2602, S2603 and S2604 before S2607, and S2605 before S2606.
In S2605, the backup object secret key acquisition unit is illustrated as receiving the private key of the RSA (registered trademark) cipher or the shared key of the AES cipher as input, but the received information need only be information to be backed up and need not be the key of a cryptographic algorithm. It may, for example, be information such as a confidential document or customer information.
In S2606, the backup authority extraction unit 2108 only narrows the entries by permitted operation content and permitted operation object, and produces an access rights list (backup authority extraction result) structurally identical to the access control policy 2102. However, since the later processing does not need the permitted operation content and the permitted operation object, a structure from which those two fields of the access control policy 2102 have been deleted may be used instead. The same applies to the structure of the access rights list (effective access rights extraction result).
In S2606, the backup authority extraction unit 2108 extracts only the access rights related to backup from the access rights recorded in the access control policy 2102 acquired in S2601. This is because the example describes the case of backing up a secret key in the secret information management apparatus. If backup and restore authorities are defined separately, the restore authority may be extracted and processed instead. Also, the operation of reconstructing the secret information from its shares may be called by different names in each system, so the search must use the operation name appropriate for that system.
In S2607, the effective access rights extraction unit 2109 extracts the effective access rights on the basis of the backup execution user information 2103, the backup permitted user list 2104 and the role hierarchy information 203, but it may additionally narrow them using the simultaneous-activation-prohibited role combinations.
In this embodiment, the licensed role and approver roles described in the access rights list (backup authority extraction result) are compared with the roles contained in the backup execution user information and in the backup permitted user list, and the role-based access structure is generated from the result.
Alternatively, the role-based access structure may be generated directly from the licensed role and approver roles described in the access rights list (backup authority extraction result).
For example, from the record in the first row of Fig. 24 a role-based access structure of {RoleA, RoleA} may be generated, and from the record in the second row a role-based access structure of {RoleA, RoleB, RoleC}.
If the access rights list (backup authority extraction result) generated in step S2606, the access rights list (effective access rights extraction result) generated in step S2607, or the role-based access structure generated in step S2608 is empty, there is no combination for splitting the secret information, so this is treated as an error.
As described above, the role-based access structure is generated from the backup access rights licensed in the access control policy 2102, together with the backup execution user information 2103, the backup permitted user list 2104 and the role hierarchy information 203. It is therefore sufficient to maintain only the access control policy 2102: the combinations of roles that can restore the secret key are computed automatically, and the secret key can be backed up flexibly.
Since the access rights list (effective access rights extraction result) is generated taking into account both the hierarchy of the roles the execution user has activated and the hierarchy of the roles activated by the users who permitted the backup, the role-based access structure is generated correctly and automatically even when a role hierarchy is used, and the secret key is secret-shared into secret key shares.
Since only the information of the user who performs the backup and of the users who granted permission is selected and used, the complexity of the generated role-based access structure is reduced; compared with distributing secret key shares to all users registered with backup access rights in the access control policy 2102, both the generation processing and the number of secret key shares are reduced.
Finally, an example of the hardware configuration of the secret key backup apparatus 101 shown in Embodiments 1 and 2 and of the role-based access structure generating apparatus 2101 (hereinafter called the secret key backup apparatus 101 etc.) is described.
Fig. 20 shows an example of the hardware resources of the secret key backup apparatus 101 etc. shown in Embodiments 1 and 2.
The configuration of Fig. 20 is only one example of the hardware configuration of the secret key backup apparatus 101 etc.; the hardware configuration is not limited to that shown in Fig. 20 and may be a different one.
In Fig. 20, the secret key backup apparatus 101 etc. has a CPU 911 (Central Processing Unit; also called a central processing device, processing device, arithmetic device, microprocessor, microcomputer or processor) that executes programs.
The CPU 911 is connected via a bus 912 to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display 901, a keyboard 902, a mouse 903 and a magnetic disk device 920, and controls these hardware devices.
The CPU 911 may further be connected to an FDD 904 (Flexible Disk Drive), a compact disc device 905 (CDD), a printer 906 and a scanner 907. A storage device such as an optical disc device or a memory card (registered trademark) read/write device may be used in place of the magnetic disk device 920.
The RAM 914 is an example of volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905 and the magnetic disk device 920 are examples of non-volatile memory. These are examples of storage devices.
The communication board 915, the keyboard 902, the mouse 903, the scanner 907, the FDD 904 and the like are examples of input devices.
The communication board 915, the display 901, the printer 906 and the like are examples of output devices.
The communication board 915 is connected, for example, to a LAN (local area network), the Internet or a WAN (wide area network).
The disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923 and a file group 924.
The CPU 911 executes the programs of the program group 923 using the operating system 921 and the window system 922.
The RAM 914 temporarily holds at least part of the operating system 921 and of the application programs that the CPU 911 executes.
The RAM 914 also holds the various data needed for the processing performed by the CPU 911.
The ROM 913 stores a BIOS (Basic Input Output System) program, and the disk device 920 stores a boot program.
When the secret key backup device 101 or another of the devices starts, the BIOS program in the ROM 913 and the boot program in the disk device 920 are executed, and the BIOS program and the boot program start the operating system 921.
The program group 923 stores the programs that implement the functions described as "... section" in the description of Embodiments 1 and 2. The programs are read and executed by the CPU 911.
The file group 924 may also include the backup participating user list 201, the role-based access structure 202, the role hierarchy information 203, the validation-forbidden role combinations 204, the secret key 205, the access control policy 2102, the backup execution user information 2103 and the backup permitted user list 2104.
The extracted user combinations (Figures 10 to 17), the access rights list (backup authority extraction result), the access rights list (valid access rights extraction result) and the like are stored in the RAM 914, the disk device 920, or a cache memory, buffer memory, register or the like that is not shown.
The secret key fragments generated from the secret key 205 are likewise stored in the RAM 914, the disk device 920, or a cache memory, buffer memory, register or the like that is not shown.
The file group 924 also stores, as items such as "... file" and "... database", the information, data, signal values, variable values and parameters that represent the results of the processing described in Embodiments 1 and 2 as "... judgement", "... acquisition", "... extraction", "... comparison", "... deletion", "... update", "... setting", "... registration", "... detection" and so on.
The "... file" and "... database" items are stored on recording media such as disks and memories. The information, data, signal values, variable values and parameters stored on storage media such as disks and memories are read into a main memory or cache memory by the CPU 911 via a read/write circuit, and are used for CPU operations such as extraction, retrieval, reference, comparison, arithmetic, computation, processing, editing, output, printing and display.
During these CPU operations of extraction, retrieval, reference, comparison, arithmetic, computation, processing, editing, output, printing and display, the information, data, signal values, variable values and parameters are temporarily stored in the main memory, registers, cache memory, buffer memory or the like.
In Embodiments 1 and 2, the arrows in the flow charts mainly represent the input and output of data and signals, and the data and signal values are recorded on recording media such as the memory of the RAM 914, the flexible disk of the FDD 904, the compact disc of the CDD 905, the magnetic disk of the disk device 920, or other optical discs, mini discs, DVDs and the like. Data and signals are transmitted online via the bus 912, signal lines, cables or other transmission media.
Each part described as "... section" in Embodiments 1 and 2 may be a "... circuit", "... device" or "... machine", and may also be a "... step", "... program" or "... process". That is, a part described as "... section" may be implemented by firmware stored in the ROM 913, or by software alone, by hardware alone such as elements, devices, boards and wiring, by a combination of software and hardware, or further by a combination with firmware. Firmware and software are stored as programs on recording media such as magnetic disks, flexible disks, optical discs, compact discs, mini discs and DVDs. The programs are read and executed by the CPU 911. That is, a program causes a computer to function as the "... section" of Embodiments 1 and 2, or causes a computer to execute the steps or methods of the "... section" of Embodiments 1 and 2.
Thus the secret key backup device 101 and the other devices shown in Embodiments 1 and 2 are computers having a CPU as a processing unit, a memory, disk and the like as storage devices, a keyboard, mouse, communication board and the like as input devices, and a display unit, communication board and the like as output devices, and they realize the functions described above as "... section" using these processing, storage, input and output devices.

Claims (12)

1. A secret information management apparatus that extracts, from a plurality of users, the users who will become holders of two or more pieces of split secret information split from secret information, the secret information management apparatus comprising:
a user role information acquisition section that acquires user role information representing the roles that each of the plurality of users holds;
an assigned role information acquisition section that acquires assigned role information representing two or more roles as assigned roles; and
a user extraction section that compares each user role represented in the user role information with each assigned role represented in the assigned role information, extracts for each assigned role the users holding a matching role, combines the extracted users according to the combination of assigned roles, and generates combinations of users who will become holders of the split secret information,
wherein the secret information management apparatus further comprises a secret information splitting section that generates the split secret information according to the combinations of users who will become holders of the split secret information generated by the user extraction section.
2. The secret information management apparatus according to claim 1, wherein
the assigned role information acquisition section may acquire assigned role information in which at least two assigned roles repeatedly represent the same role, and
when the assigned role information repeatedly represents the same role, the user extraction section extracts users separately for each of the at least two assigned roles that are the same role, and removes, from the combinations of users who will become holders of the split secret information, any combination in which the same user has been allocated to the at least two assigned roles that are the same role.
3. The secret information management apparatus according to claim 1, wherein
the user role information acquisition section may acquire user role information representing a user who holds two or more roles,
the secret information management apparatus further comprises a simultaneous-combination-forbidden role information acquisition section that acquires simultaneous-combination-forbidden role information representing, as simultaneous-combination-forbidden roles, two or more roles whose allocation to the same user is forbidden, and
the user extraction section extracts users for each assigned role and removes, from the combinations of users who will become holders of the split secret information, any combination in which the same user has been allocated to at least two assigned roles corresponding to the simultaneous-combination-forbidden roles.
4. The secret information management apparatus according to claim 1, wherein
the user role information acquisition section may acquire user role information representing a user who holds an upper role, the upper role including one or more other roles as lower roles,
the secret information management apparatus further comprises an inclusion relation information acquisition section that acquires inclusion relation information representing the inclusion relation between upper roles and lower roles, and
when some lower role is represented as an assigned role in the assigned role information, the user extraction section derives, according to the inclusion relation represented in the inclusion relation information, the upper role of the lower role that is the assigned role, extracts the users holding a role matching the lower role that is the assigned role, and also extracts, associated with that lower role, the users holding a role matching the upper role of the lower role that is the assigned role.
5. The secret information management apparatus according to claim 4, wherein
the secret information management apparatus further comprises a simultaneous-combination-forbidden role information acquisition section that acquires simultaneous-combination-forbidden role information representing, as simultaneous-combination-forbidden roles, two or more roles whose allocation to the same user is forbidden, and
when a lower role is included among the simultaneous-combination-forbidden roles, the user extraction section removes, from the combinations of users who will become holders of the split secret information, any combination in which the same user has been allocated both to the upper role of the lower role included among the simultaneous-combination-forbidden roles and to some other assigned role included among the simultaneous-combination-forbidden roles.
6. The secret information management apparatus according to claim 1, wherein
the user extraction section generates combination extraction information representing the generated combinations of users together with the roles that each user holds, and
the secret information management apparatus further comprises:
a role information deletion section that deletes each user's role information from the combination extraction information;
a duplicate user deletion section that, when the same user is repeated within a combination in the combination extraction information, removes the repeated user from that combination;
a duplicate combination deletion section that, when the combination extraction information contains two or more combinations of the same users that differ only in the display order of the users, removes the duplicated combinations; and
an invalidated combination deletion section that, when a combination of users in the combination extraction information is contained in another combination of users, removes the combination that is contained in the other combination.
7. An information processing apparatus comprising:
an access control policy information acquisition section that acquires access control policy information representing a plurality of combinations of an executor role and one or more permitter roles, wherein the executor role is a role permitted to access secret information to which access is restricted, and a permitter role is a role that permits the executor role to access the secret information;
an execution user information acquisition section that acquires execution user information representing, as execution user roles, the one or more roles held by an execution user who is to execute access to the secret information;
a permitted user information acquisition section that acquires permitted user information representing, as permitted user roles, the one or more roles held by a permitted user who permits the execution user to access the secret information;
a combination extraction section that extracts, from the combinations represented in the access control policy information, the combinations in which the executor role matches an execution user role represented in the execution user information and each permitter role matches some permitted user role represented in the permitted user information, and that generates assigned role information from the roles of the extracted combinations, the assigned role information representing, as assigned roles, the roles of the two or more holders of the split secret information split from the secret information;
a user role information acquisition section that acquires user role information representing the roles that each of a plurality of users holds;
an assigned role information acquisition section that acquires the assigned role information generated by the combination extraction section;
a user extraction section that compares each user role represented in the user role information with each assigned role represented in the assigned role information, extracts for each assigned role the users holding a matching role, and combines the extracted users according to the combination of assigned roles into combinations of users who will become holders of the split secret information; and
a secret information splitting section that generates the split secret information according to the combinations of users who will become holders of the split secret information generated by the user extraction section.
8. The information processing apparatus according to claim 7, wherein
the execution user information acquisition section may acquire execution user information representing, as an execution user role, an upper role that includes one or more other roles as lower roles,
the information processing apparatus further comprises an inclusion relation information acquisition section that acquires inclusion relation information representing the inclusion relation between upper roles and lower roles, and
the combination extraction section judges, according to the inclusion relation represented in the inclusion relation information, whether the executor role corresponds to a lower role of the execution user role, and, when the executor role corresponds to a lower role of the execution user role, judges whether each permitter role combined with that executor role matches some permitted user role.
9. The information processing apparatus according to claim 7, wherein
the permitted user information acquisition section may acquire permitted user information representing, as a permitted user role, an upper role that includes one or more other roles as lower roles,
the information processing apparatus further comprises an inclusion relation information acquisition section that acquires inclusion relation information representing the inclusion relation between upper roles and lower roles, and
the combination extraction section judges, according to the inclusion relation represented in the inclusion relation information, whether each permitter role corresponds to a lower role of the permitted user role, and extracts the combinations in which at least a part of all the permitter roles correspond to lower roles of the permitted user role and the remaining permitter roles match the permitted user role.
10. The information processing apparatus according to claim 7, wherein
the combination extraction section generates assigned role information from the roles of the extracted combinations, the assigned role information representing, as assigned roles, the roles of the two or more holders of the split secret information split from the secret information.
11. An information processing apparatus comprising:
an access control policy information acquisition section that acquires access control policy information representing a plurality of combinations of an executor role and one or more permitter roles, wherein the executor role is a role permitted to access secret information to which access is restricted, and a permitter role is a role that permits the executor role to access the secret information;
an execution user information acquisition section that acquires execution user information representing, as execution user roles, the one or more roles held by an execution user who is to execute access to the secret information;
a permitted user information acquisition section that acquires permitted user information representing, as permitted user roles, the one or more roles held by a permitted user who permits the execution user to access the secret information; and
a combination extraction section that extracts, from the combinations represented in the access control policy information, the combinations in which the executor role and each permitter role match some of the execution user roles represented in the execution user information and the permitted user roles represented in the permitted user information, and that generates assigned role information from the roles of the extracted combinations, the assigned role information representing, as assigned roles, the roles of the two or more holders of the split secret information split from the secret information;
a user role information acquisition section that acquires user role information representing the roles that each of a plurality of users holds;
an assigned role information acquisition section that acquires the assigned role information generated by the combination extraction section;
a user extraction section that compares each user role represented in the user role information with each assigned role represented in the assigned role information, extracts for each assigned role the users holding a matching role, and combines the extracted users according to the combination of assigned roles into combinations of users who will become holders of the split secret information; and
a secret information splitting section that generates the split secret information according to the combinations of users who will become holders of the split secret information generated by the user extraction section.
12. The information processing apparatus according to claim 11, wherein
the execution user information acquisition section may acquire execution user information representing, as an execution user role, an upper role that includes one or more other roles as lower roles,
the permitted user information acquisition section may acquire permitted user information representing, as a permitted user role, an upper role that includes one or more other roles as lower roles,
the information processing apparatus further comprises an inclusion relation information acquisition section that acquires inclusion relation information representing the inclusion relation between upper roles and lower roles, and
the combination extraction section judges, according to the inclusion relation represented in the inclusion relation information, whether the executor role and each permitter role correspond to some lower role of the execution user role or of the permitted user role, and extracts the combinations in which at least a part of the executor role and all the permitter roles correspond to some lower role of the execution user role or of the permitted user role, and the remainder of the executor role and all the permitter roles match some of the execution user roles or permitted user roles.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2008-058884 2008-03-10
JP2008058884 2008-03-10
PCT/JP2009/054173 WO2009113444A1 (en) 2008-03-10 2009-03-05 Confidential information management device, information processing device, and confidential information management system

Publications (2)

Publication Number Publication Date
CN101965709A CN101965709A (en) 2011-02-02
CN101965709B true CN101965709B (en) 2013-12-11

Family

ID=41065113

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009801083329A Expired - Fee Related CN101965709B (en) 2008-03-10 2009-03-05 Secret information management apparatus, information processing apparatus, and secret information management system

Country Status (4)

Country Link
US (1) US8424054B2 (en)
JP (1) JP5063777B2 (en)
CN (1) CN101965709B (en)
WO (1) WO2009113444A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1607484A (en) * 2003-10-16 2005-04-20 Fujitsu Limited Program and apparatus for blocking information leaks, and storage medium for the program
CN101004745A (en) * 2005-10-28 2007-07-25 Ricoh Company, Ltd. Document managing system, document managing apparatus and document managing method

Also Published As

Publication number Publication date
JPWO2009113444A1 (en) 2011-07-21
JP5063777B2 (en) 2012-10-31
CN101965709A (en) 2011-02-02
US20110016510A1 (en) 2011-01-20
WO2009113444A1 (en) 2009-09-17
US8424054B2 (en) 2013-04-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131211

Termination date: 20160305